Monday, October 26, 2009

New Mass Web Injection Attack Spreading

Security researchers warn that a new injection attack has infected thousands of websites with malicious IFrames. In order to avoid detection, the rogue IFrames get their src attribute through an onload JavaScript event.

The infection was first spotted by malware analysts from antivirus vendor Sophos on the website of music legend Van Morrison. "What I did see was a heavily obfuscated script injected into the page that references an iframe. A quick analysis of the obfuscated script revealed that it adds an iframe to the page to load content from a remote site," Paul O Baccas, virus and spam researcher at SophosLabs reported on October 22nd.

Since then Sophos has added detection for this threat under Mal/Iframe-N. Mr. Baccas announced yesterday that the number of infections with this malicious piece of code had risen to reach several thousands of websites, including some high profile ones.